diff --git a/CHANGES b/CHANGES index 91a2d51890..c393cc2395 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ - --- 9.10.5 released --- + --- 9.10.5rc2 released --- + +4578. [security] Some chaining (CNAME or DNAME) responses to upstream + queries could trigger assertion failures. + (CVE-2017-3137) [RT #44734] 4575. [security] DNS64 with "break-dnssec yes;" can result in an assertion failure. (CVE-2017-3136) [RT #44653] diff --git a/README b/README index c7b51736fa..6b108a8554 100644 --- a/README +++ b/README @@ -56,7 +56,7 @@ BIND 9.10.5 BIND 9.10.5 is a maintenance release and addresses the security flaws disclosed in CVE-2016-2775, CVE-2016-2776, CVE-2016-6170, CVE-2016-8864, CVE-2016-9131, CVE-2016-9147, CVE-2016-9444, - CVE-2017-3135, and CVE-2017-3136, + CVE-2017-3135, CVE-2017-3136, and CVE-2017-3137. BIND 9.10.4 diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index 99de352058..8f5fcd43ab 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -69,11 +69,18 @@
Security Fixes + + + Some chaining (i.e., type CNAME or DNAME) responses to upstream + queries could trigger assertion failures. This flaw is disclosed + in CVE-2017-3137. [RT #44734] + + dns64 with break-dnssec yes; can result in an assertion failure. This flaw is disclosed in - CVE-2017-3136.[RT #44653] + CVE-2017-3136. [RT #44653] diff --git a/lib/dns/api b/lib/dns/api index 6d12ddc1f9..b4a644a0e0 100644 --- a/lib/dns/api +++ b/lib/dns/api @@ -7,5 +7,5 @@ # 9.10: 140-149, 170-179 # 9.11: 160-169 LIBINTERFACE = 170 -LIBREVISION = 0 +LIBREVISION = 1 LIBAGE = 0 diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index db9f5714cb..6833b953c6 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -6946,15 +6946,15 @@ answer_response(fetchctx_t *fctx) { rdataset->attributes |= DNS_RDATASETATTR_CACHE; rdataset->trust = dns_trust_answer; - if (chaining == 0) { + if (external) { /* - * This data is "the" answer - * to our question only if - * we're not chaining (i.e. - * if we haven't followed - * a CNAME or DNAME). + * This data is outside of + * our query domain, and + * may not be cached. */ - INSIST(!external); + rdataset->attributes |= + DNS_RDATASETATTR_EXTERNAL; + } else if (chaining == 0) { /* * Don't use found_cname here * as we have just set it @@ -6976,14 +6976,6 @@ answer_response(fetchctx_t *fctx) { if (aa) rdataset->trust = dns_trust_authanswer; - } else if (external) { - /* - * This data is outside of - * our query domain, and - * may not be cached. - */ - rdataset->attributes |= - DNS_RDATASETATTR_EXTERNAL; } /* 
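Review bot: In the lib/dns/resolver.c hunk at @@ -6946, the new `if (external)` arm runs after `DNS_RDATASETATTR_CACHE` has already been set on the same rdataset in the context lines just above it, so the comment "may not be cached" holds only if the caching code gives `DNS_RDATASETATTR_EXTERNAL` precedence, and that code is not visible here. I would state the dependency in the comment, for example `* DNS_RDATASETATTR_CACHE is set above; the EXTERNAL attribute is what must keep this rdataset out of the cache.`, and confirm it where the message is cached. The comment should also record that this arm is now reached with `chaining == 0`, the case the removed `INSIST(!external)` treated as impossible and which, per the CHANGES entry, CNAME/DNAME responses can produce, so a later cleanup does not restore the assertion. answer_response() starts and ends outside the hunk.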
@@ -7158,15 +7150,12 @@ answer_response(fetchctx_t *fctx) { * If we are not chaining or the first CNAME * is a synthesised CNAME before the DNAME. */ - if ((chaining == 0) || - (chaining == 1U && synthcname)) + if (external) { + rdataset->attributes |= + DNS_RDATASETATTR_EXTERNAL; + } else if ((chaining == 0) || + (chaining == 1U && synthcname)) { - /* - * This data is "the" answer to - * our question only if we're - * not chaining. - */ - INSIST(!external); if (aflag == DNS_RDATASETATTR_ANSWER) { have_answer = ISC_TRUE; found_dname = ISC_TRUE; @@ -7183,9 +7172,6 @@ answer_response(fetchctx_t *fctx) { if (aa) rdataset->trust = dns_trust_authanswer; - } else if (external) { - rdataset->attributes |= - DNS_RDATASETATTR_EXTERNAL; } } diff --git a/version b/version index 990eb51935..9428afc4db 100644 --- a/version +++ b/version @@ -6,6 +6,6 @@ DESCRIPTION= MAJORVER=9 MINORVER=10 PATCHVER=5 -RELEASETYPE= -RELEASEVER= +RELEASETYPE=rc +RELEASEVER=2 EXTENSIONS=
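Review bot: In the lib/dns/resolver.c hunk at @@ -7158, the retained comment "If we are not chaining or the first CNAME is a synthesised CNAME before the DNAME." now sits directly above `if (external)`, although it describes only the `else if` arm. I would move that comment inside the `else if ((chaining == 0) || (chaining == 1U && synthcname))` arm and give the external arm the same explanation the matching arm has in the @@ -6946 hunk: `/* This data is outside of our query domain, and may not be cached. */`. Without it, a reader sees an uncommented early exit that skips the `have_answer`/`found_dname` bookkeeping and has to find the other hunk to learn why. The enclosing block of answer_response() begins and ends outside the hunk.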